ClawHub

Twilio

v1.0.1

Integrate Twilio APIs for SMS, WhatsApp, Voice, Verify, and more via direct HTTP requests with webhook validation and operational best practices.

4· 2.1k·15 current·15 all-time
by@codedao12
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md and reference files clearly describe Twilio REST surfaces (Messaging, Voice, Verify, Conversations, SendGrid, etc.) which matches the skill name. However the metadata does not declare any required environment variables or primary credential even though the instructions explicitly state 'Account SID and Auth Token (or API Key/Secret)' are required. That mismatch is notable.
Instruction Scope
The instructions stay within Twilio-related activities (HTTP requests to Twilio/SendGrid endpoints, webhook validation, rate-limit and operational guidance). They do not request access to unrelated system files or unusual external endpoints. The SKILL.md encourages security best practices (validate webhook signatures, do not log credentials).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write artifacts to disk or fetch remote code during install — low install risk.
!
Credentials
The skill requires sensitive secrets (Account SID/Auth Token or API Key/Secret, sender IDs, webhook URLs) per SKILL.md, but the registry metadata lists no required env vars or primary credential. The metadata fails to enumerate the credentials the skill will need at runtime; that omission reduces transparency and is a security concern. Additionally, SendGrid and Segment references imply additional credentials may be needed but are not declared.
Persistence & Privilege
always is false and the skill does not request persistent or elevated agent-wide privileges in the metadata. Normal autonomous invocation is allowed (disable-model-invocation is false), which is expected for skills; nothing requests modification of other skills or system configs.
What to consider before installing
This skill appears to be a documentation/guide for Twilio APIs and does not install code, but it will require your Twilio credentials (Account SID/Auth Token or API Key/Secret) and possibly SendGrid/Segment keys to do real operations. The registry metadata does not list those environment variables — ask the publisher why required credentials are not declared and confirm the skill's source/homepage before providing secrets. If you proceed: use least-privilege API keys, store them in a vault, provide ephemeral or scoped keys for testing, rotate or revoke keys after use, and verify webhook URLs and validation logic yourself. If you need provenance, request a homepage or repository link and a publisher statement explaining how and when your credentials will be used.

Like a lobster shell, security has layers — review code before you run it.

latestvk9743r1zrswjfx5hvr2q6hr45180ty99

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments